The article clarifies how to configure a Dynamic Zone to block network traffic based on the IP address type. Dynamic Zones help protect accounts by blocking IP addresses that use Tor anonymizer proxies, which reduces the impact of attacks such as password spray attacks.

• Network Zone
• Proxies
• Password spray attack

An attacker uses random anonymizer proxy IP addresses for password spray attacks.

Follow these steps to create a Dynamic Zone that blocks specific IP types:

1. Go to Security > Networks in the Admin Console.

2. Click Add Zone > Dynamic Zone.

3. Enter a name for the zone.

4. Select the Block access from IPs matching conditions listed in this zone checkbox.

5. For IP type, select Any, Any Proxy, Tor anonymizer proxy, or Not Tor anonymizer proxy.

NOTE: The Dynamic Zone blocks any incoming traffic from proxy IPs that match the selected type. The accuracy of Tor proxy detection depends on a third-party vendor, which identifies IP addresses that use Tor. The proxy type is only used to evaluate whether a proxy is Tor or not.

6. Click Save.

Related References

• Block IP Address based on IP Service Category using Enhanced Dynamic Network Zone
• How are the Proxy IPs in the Network Zones used in Okta
• Blocklist proxies with high sign-in failure rates